path: root/spec/unit
Age | Commit message | Author | Files | Lines
2014-10-20 | (PUP-3467) Reject SSLv3 when initiating SSL connections | Josh Cooper | 1 | -0/+12
Previously, when puppet initiated SSL connections, e.g. puppet agent, puppet module, etc, it could downgrade to SSLv3. This commit ensures puppet will not downgrade to SSLv3 by setting the `OpenSSL::SSL::OP_NO_SSLv3` bit.

However, unlike SSLv2, we cannot remove SSLv3 ciphersuites, since they are the same ones used in TLSv1. From the openssl ciphers man page, "The TLSv1.0 ciphers are flagged with SSLv3". [1]

[1] https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html
2014-10-20 | (PUP-3467) Update webrick ciphersuites to match passenger | Josh Cooper | 1 | -1/+12
Previously, puppet's webrick server did not specify which ciphersuites it would accept. Depending on the ruby and openssl, the default set of ciphersuites is:

    $ ruby -ropenssl -e 'puts OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]'
    ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Note that "ALL:!ADH" does not exclude AECDH, and the default param string includes "LOW", e.g. DES-CBC-SHA.

This commit updates the webrick ciphersuites to match the value used in passenger in commit 204b2974b. The resulting ciphersuites are:

    [["DHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-AES256-SHA256", "TLSv1/SSLv3", 256, 256],
     ["ECDHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256],
     ["ECDHE-RSA-AES256-SHA384", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128],
     ["DHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128],
     ["ECDHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128],
     ["ECDHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128],
     ["DHE-RSA-CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
     ["ECDHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128],
     ["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
     ["ECDHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
     ["CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256],
     ["AES256-SHA", "TLSv1/SSLv3", 256, 256],
     ["CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128],
     ["AES128-SHA", "TLSv1/SSLv3", 128, 128]]
2014-10-20 | (PUP-3467) Reject SSLv3 connections in webrick | Josh Cooper | 1 | -1/+9
Webrick will now reject SSLv3 connections. If an SSL client tries to connect with SSLv3, webrick+openssl will issue an sslv3 alert handshake failure.
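
The three PUP-3467 commits above set a protocol option bit and replace a permissive default cipher string. The following is an added example, not code from the Puppet repository: it sets the same option bit on a context and audits a cipher list, in the tuple shape shown in the commit message, for the anonymous and LOW suites that message warns about. The helper names and the sample list are assumptions made for illustration.

```ruby
require 'openssl'

# Hypothetical helper: make a context refuse SSLv2 and SSLv3 handshakes
# by OR-ing the option bits the commit message names.
def reject_legacy_protocols(ctx)
  legacy = OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
  ctx.options = (ctx.options || 0) | legacy
  ctx
end

# Reasons a suite is unwanted. "!ADH" in a cipher string only removes
# the ADH-* names, so AECDH-* has to be matched separately.
WEAK_RULES = {
  anonymous: ->(name, _bits) { name.match?(/\A(ADH|AECDH)-/) },
  export:    ->(name, _bits) { name.start_with?('EXP-') },
  low_bits:  ->(_name, bits) { bits < 128 }
}.freeze

# Takes tuples shaped like SSLContext#ciphers output:
# [name, protocol, bits, algorithm_bits]. Returns { name => [reasons] }.
def weak_suites(suites)
  suites.each_with_object({}) do |(name, _proto, bits, _alg_bits), found|
    reasons = WEAK_RULES.select { |_, rule| rule.call(name, bits) }.keys
    found[name] = reasons unless reasons.empty?
  end
end

# Constructed sample: three suites from the commit's resulting list plus
# the two kinds of suite the message says the old default let through.
SAMPLE_SUITES = [
  ['DHE-RSA-AES256-GCM-SHA384', 'TLSv1/SSLv3', 256, 256],
  ['ECDHE-RSA-AES128-SHA',      'TLSv1/SSLv3', 128, 128],
  ['AES128-SHA',                'TLSv1/SSLv3', 128, 128],
  ['AECDH-AES256-SHA',          'TLSv1/SSLv3', 256, 256],
  ['DES-CBC-SHA',               'TLSv1/SSLv3', 56, 56]
].freeze

if __FILE__ == $PROGRAM_NAME
  ctx = reject_legacy_protocols(OpenSSL::SSL::SSLContext.new)
  puts format('options: 0x%08x', ctx.options)
  weak_suites(SAMPLE_SUITES).each { |name, why| puts "#{name}: #{why.join(', ')}" }
end
```

Passing `ctx.ciphers` from a configured context to `weak_suites` audits what a cipher string actually expands to on the local OpenSSL build.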
2014-10-16 | (PUP-3201) Stop using :undef for parameters in 4x | Andrew Parker | 2 | -26/+10
The :undef symbol was still leaking all over the place internally. This caused type inference to sometimes end up with Runtime[ruby, Symbol]. By using nil instead of :undef, everything can be much more straightforward. Once the code removal for puppet 4 comes into play even more oddities around how resource parameters are handled can be performed.
2014-10-16 | (maint) Only test lookup() with future parser | Andrew Parker | 1 | -12/+13
The lookup function only works when the future parser is in effect. This changes the spec tests to turn on the future parser.
2014-10-16 | Merge pull request #3195 from hlindberg/PUP-3401_fix-pattern-type | Andrew Parker | 1 | -0/+26
(PUP-3401) Fix type calculations of "all Patterns"
2014-10-15 | (PUP-3334) Add test to ensure cache is cleared | Hailee Kenney | 1 | -0/+49
In order to ensure that we don't encounter this issue again, add a test case to environments_spec to ensure that the cache is being properly cleared. Additionally, fix a small bug in environment's list method where a string should have been converted to a symbol.
2014-10-15 | Merge pull request #3164 from ffrank/ticket/3.7.x/PUP-3357-purge-unnamed-ssh-keys | Kylo Ginsberg | 2 | -0/+20
(PUP-3357) purge unnamed ssh keys
2014-10-15 | (PUP-3357) unit tests for the purging of multiple unnamed keys | Felix Frank | 2 | -0/+20
Just makes sure that the user type and ssh_authorized_keys provider generate pseudo-names for keys following the same pattern.
2014-10-15 | (PUP-3401) Fix type calculations of "all Patterns" | Henrik Lindberg | 1 | -0/+26
The type calculator did not correctly compute assignability for a non parameterized Pattern. Such a Pattern is equal to "any string", and is thus assignable from any other Pattern, Enum or String. This was missing in the calculator and this resulted in Pattern neither being equal to, less than, or greater than parameterized patterns.
2014-10-14 | Merge pull request #3194 from zaphod42/issue/stable/pup-3201-undef-not-working | Henrik Lindberg | 1 | -0/+4
(PUP-3201) Treat :undef as PNilType
2014-10-13 | (maint) Separate test for missing module directory | Andrew Parker | 1 | -2/+7
The test of behavior when a module directory is specified as part of an environment but is missing on disk was hidden inside another test. This splits it out and calls out that the behavior is that the directory is simply ignored.
2014-10-13 | (PUP-3244) Allow autoload to handle missing environment | Andrew Parker | 1 | -13/+27
When a previous commit changed from get() to get!() the agent stopped being able to use an environment that is available on the master, but not available locally. I had misread the code and missed a trailing `&&`. This caused me to think that the environment lookup in this case was required, where in fact it is still optional. This changes the structure of the code to make it much clearer that the environment is optional, changes from get!() to get(), and adds some tests around these code paths.
2014-10-13 | Merge pull request #3182 from demophoon/fix/stable/pup-3244 | Rob Reynolds | 1 | -0/+11
(PUP-3244) ENC ignores missing directory environments
2014-10-12 | (PUP-3244) Remove unnecessary Cached.get! | Rob Reynolds | 1 | -0/+22
This removes a function that was provided by the super class.
2014-10-12 | (PUP-3244) Remove redundant methods and refactor. | Britt Gresham | 1 | -0/+11
Before this commit the Puppet::Environments::Cached#get! was not needed as it was defined in a parent class. Puppet::Environments::Combined#get! now calls get! in environment objects instead of assuming how get! should work. This commit also refactors areas in the code where Puppet::Environments::EnvironmentNotFound was raised after calling get in favor of the new get! method.
2014-10-10 | (PUP-3244) Remove unnecessary Cached.get! | Rob Reynolds | 1 | -0/+22
This removes a function that was provided by the super class.
2014-10-10 | (PUP-3201) Treat :undef as PNilType | Andrew Parker | 1 | -0/+4
For PUP-2857 :undef was changed from being a PNilType to a PRuntimeType. This stopped the undef literal in the language from being able to be assigned to Optional parameters. However, this only happened when the undef was the default expression for the parameter.
2014-10-10 | Merge branch 'pr/3146' into stable | Andrew Parker | 1 | -0/+17
* pr/3146:
  (maint) Modify other uses of get() to get!()
  (PUP-3244) Add Puppet::Environment::Directories#get! method
  (PUP-3244) Validate Environment Before Setting
  (PUP-3244) Acceptance Tests for Nonexistent Environments
  (PUP-3244) ENC ignores missing directory environments

Closes GH-3146
2014-10-10 | (PUP-643) Ignore pkg's certificate expiration warning messages | Kylo Ginsberg | 1 | -0/+4
When a pkg certificate is in its last 30 days before expiration, the pkg tools emit a warning message so you can get a new certificate for some operations. The 'latest' method issues a 'pkg -Hn <package>' which trips this warning message, but the message was unexpected and 'latest' would raise, failing the catalog application.

This commit simply ignores such certificate expiration warnings.

While I was in there, I split a very compact line of code across a couple lines and added some spaces, in the name of readability.
2014-10-09 | Merge pull request #3134 from hlindberg/PUP-3366_string-enum-type-calculation | Andrew Parker | 1 | -0/+31
PUP-3366 Fix issues with string/enum type assignable calculations
2014-10-09 | (PUP-3203) Don't mutate trigger when checking for equality | Josh Cooper | 1 | -0/+10
Previously, when checking if the `current` and `desired` triggers were equivalent, we were silently deleting the `index` and `enabled` values from the `current` trigger. If we later needed to delete the `current` trigger, we would have lost its `index`, resulting in a call to `Win32::TaskScheduler.delete_trigger(nil)` causing the error:

    no implicit conversion from nil to integer

This commit ensures that we don't mutate the `current` or `desired` trigger.
2014-10-09 | Merge pull request #3158 from joshcooper/ticket/stable/PUP-1165-task-scheduler | Rob Reynolds | 1 | -14/+37
(PUP-1165) Provide a default value for windows scheduled task trigger
2014-10-08 | (PUP-3244) Add Puppet::Environment::Directories#get! method | Britt Gresham | 1 | -0/+17
This new function will return the directory environment or raise an error if a directory environment does not exist. This gets rid of the need to check if environments exist across the codebase before continuing for the areas where we need.
2014-10-07 | (maint) Remove magic behavior | Josh Cooper | 1 | -14/+14
Previously, the `#triggers` method on the scheduled task provider would magically return a single element or an array of multiple elements. This commit changes the provider to always return an array, of possibly a single element.
2014-10-07 | (PUP-1165) Ignore scheduled_task trigger start_date when unspecified | Josh Cooper | 1 | -0/+9
Previously, if a scheduled_task resource was created in the past, and the desired value of the resource's trigger did not specify a `start_date`, then puppet would think the resource was out of sync, and attempt to delete the old trigger, and add the new one. This process would repeat once per day, leading to spurious 'triggered changed' messages, and reports. This commit modifies the scheduled_task provider so that if the desired value does not specify a `start_date`, then it will effectively be ignored when comparing the current and desired triggers.
2014-10-07 | (PUP-1165) Perform validation on desired triggers not current | Josh Cooper | 1 | -0/+14
The `enabled` and `index` trigger parameters are read-only, so they will be set in the `current` trigger, but are not allowed in the `desired` trigger. Previously, the `translate_hash_to_trigger` method performed validation based on whether it was passed a `current` or `desired` trigger. This commit moves the validation logic to the `validate_trigger` method, which is only ever called with `desired` trigger values. It also allows the `index` and `enabled` keys to be present in a trigger. This isn't an issue because they are ignored for the purposes of determining if two triggers are the same. The reason for this change, is because ultimately we don't want the `translate_hash_to_trigger` method to mutate the `current` trigger, and this commit makes it so that the `index` and `enabled` keys can be in the `puppet_trigger` but will be ignored.
2014-10-06 | Merge branch 'pr/3136' into stable | Andrew Parker | 1 | -5/+5
* pr/3136:
  (PUP-3364) Improve the error message for numeric resource titles
2014-10-06 | (PUP-3364) Improve the error message for numeric resource titles | Henrik Lindberg | 1 | -5/+5
This improves the error message when a numeric resource title is used in a resource reference, or when a numeric attribute name is referenced. The message used to be too generic, and used internal Ruby types instead of puppet types in the message string.
2014-10-03 | Merge pull request #3142 from hlindberg/PUP-3365_remove-deep-undef-mapping-in-3x-func-api | Andrew Parker | 1 | -0/+25
(PUP-3365) Change 3x deep map of undef to only do surface map
2014-10-03 | Merge pull request #3154 from hlindberg/PUP-3363_trailing-comma-assign | Andrew Parker | 1 | -5/+20
(PUP-3363) Make transformation of unparenthesized calls handle errors
2014-10-03 | (PUP-3351) Test using example of problematic behavior | Andrew Parker | 1 | -31/+19
After talking with Reid Vandewiele, it turns out that the problematic behavior isn't directly the order of the classes themselves. Previous assertions that there are possible conflicts from the classes when they were done in one order or another are incorrect. The classes, when any have parameters, are kept by the node in a hash keyed off of the class name, which means that there is no possibility of them creating a duplicate resource error. The actual usecase comes down to *how* parameterized classes vs unparameterized classes are often used. A parameterized class can often be simply a set of shared data that the unparameterized classes depend on (or inherit from) parameterized classes. This modifies the test case for the reordering change to provide an example of the use case here.
2014-10-03 | (PUP-3351) Evaluate ENC classes in the correct order | Jeff McCune | 1 | -0/+30
Without this patch classes declared from an ENC are evaluated in the wrong order. This is a problem because classes declared without parameters are evaluated prior to classes with parameters which causes an Error: Duplicate declaration when the classes with parameters are evaluated. According to the code comments for the `evaluate_node_classes` method, the expected behavior is that classes with an empty set of parameters will not conflict with classes that have declared parameters.
2014-10-03 | (PUP-3366) Correct comparison of Enum > Enum[a] | Henrik Lindberg | 1 | -0/+5
Comparisons involving an unparenthesized Enum were not correct because an iteration with all? returns true if the set being enumerated is empty. This modifies the logic, and adds missing tests.
2014-10-03 | (PUP-3363) Make transformation of unparenthesized calls handle errors | Henrik Lindberg | 1 | -5/+20
This fixes problems when a user enters commas where they are not supposed to be. As a result, an expression will be parsed as being an argument list for an unparenthesized function call. The transformation logic for such calls did not take one case into account; a non call followed by an argument list. e.g:

    $a = 1,10

Which resulted in a strange AST model (a literal list with an assignment and a 10).

This commit adds error checking and raising of an exception in the transformation which is caught by parser_support and formatted into an error - either about an illegal comma (when the LHS cannot possibly be a call at all (as in the above example), or a more elaborate message about that what could be a function call requires parentheses.

In order to enable positioning of the error message on the first comma in the argument list, the comma tokens were required in the expression list fed to the transformer. Subsequently these tokens must be filtered out by the transformation, and passed on in the raised exception (since the receiver would otherwise not know which token that caused the problem (it is nested inside the structure it passes on to be transformed).

Unparenthesized function calls are a very bad idea...
2014-09-30 | (PUP-3365) Change 3x deep map of undef to only do surface map | Henrik Lindberg | 1 | -0/+25
This changes the mapping of arguments to 3x function calls to not map undef to empty strings except at the surface level. Other mappings are still done as they are required for frozen strings, and values having a type that is not supported by the 3x functions.
2014-09-29 | PUP-3366 Fix issues with string/enum type assignable calculations | Henrik Lindberg | 1 | -0/+26
There were errors in the calculation of string/enum calculation. Basically Enum == String, if String is size constrained then Enum < String. This fixes this calculation. There were no tests for this, they are now added.
2014-09-11 | (PUP-3186) Only execute symlink code on systems that support it | Josh Cooper | 1 | -1/+1
Windows 2003 doesn't support symlinks, so the test would fail trying to create one as a precondition for the test. Conditionally execute the test on platforms that support symlinks.
2014-09-10 | Merge pull request #3056 from zaphod42/issues/stable/pup-3190-cannot-load-4x-funcs-from-system | Josh Partlow | 4 | -56/+48
(PUP-3190) Don't assume puppet is in a lib dir
2014-09-10 | (PUP-3186) Skip creation of symlinked default directory env | Britt Gresham | 1 | -0/+7
To provide a better out of the box user experience, Puppet will ensure the existence of the default production directory environment. However if this path has already been created as a symlink, the File resource will ensure it is replaced with an empty directory.

Since an existing symlink is an indication that the user has already made configuration changes, and the purpose of ensuring the existence of the production directory environment is purely for assisting in new, unmodified installations, this commit skips ensuring anything about the production directory environment when a symlink is detected.

With Josh Partlow <jpartlow@puppetlabs.com>
2014-09-10 | (PUP-3190) Improve readability of function creation logic. | Henrik Lindberg | 1 | -1/+7
2014-09-10 | Merge pull request #3068 from joshcooper/ticket/stable/PUP-894-crl-not-yet-valid | Adrien Thebo | 1 | -5/+71
(PUP-894) Be more lenient about CRL not yet valid errors
2014-09-09 | (PUP-3222) Rescue StandardError instead of non-existent exception | Josh Cooper | 1 | -0/+48
Previously, the windows service provider rescued exceptions of type Win32::Service::Error. However, FFI-based versions of win32-service (v0.8.x) no longer raise that type of error. Instead they raise SystemCallError.

So previously, if puppet failed to manage a service, e.g. service didn't exist, puppet would try to rescue the exception specifying a class that was not defined:

    puppet resource service foo ensure=stopped
    Error: /Service[foo]: Could not evaluate: uninitialized constant Win32::Service::Error

This regression was introduced as part of PUP-1283 when we migrated from win32-service version 0.7.x to 0.8.x.

This commit modifies the various provider methods to more broadly rescue StandardErrors and updates the spec tests to handle the negative cases.

Paired-with: Ethan J Brown <ethan@puppetlabs.com>
2014-09-09 | (PUP-894) Accept CRLs that were "recently" updated | Josh Cooper | 1 | -0/+47
Previously, the agent would reject an SSL connection if the CRL it downloaded from the CA had a `last_update` time that was slightly in the future. The agent reports this as "CRL is not yet valid."

This issue can happen when the CA's time is slightly ahead of the agent's time, the CRL is recently updated, and the agent doesn't already have a cached version of the CRL (due to PUP-2103).

The CRL not yet valid error sometimes happens during acceptance testing when we delete the agent's ssl directory, revoke a cert on the master (which updates the CRL's last_update field), and run the agent (which downloads the latest CRL).

This commit modifies the verify callback to ignore CRL not yet valid errors provided all of the following are true:

* current_crl is not nil
* current_crl.last_update is not nil
* current_crl.last_update is strictly less than 5 minutes from now

It also adds specs around unspecified behavior, e.g. ensure the verify callback returns false when errors are detected.
2014-09-09 | (PUP-894) Add specs for current behavior | Josh Cooper | 1 | -5/+24
This commit adds specs for current behavior, especially that the verify callback rejects the connection if preverify_ok is false, and we reject CRLs whose last_update time is more than 5 minutes in the future.
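
The two PUP-894 commits above describe a verify callback that tolerates a CRL whose `last_update` is slightly ahead of the local clock. The following is an added example of that decision, not Puppet's own code: the helper names, the constant name and the fixed sample time are assumptions, and the sample CRL is constructed and unsigned.

```ruby
require 'openssl'

# Tolerance stated in the commit message: last_update must be strictly
# less than 5 minutes ahead of the local clock.
CRL_SKEW_SECONDS = 5 * 60

# Hypothetical helper: the value a verify callback should return, given
# OpenSSL's preverify result, the store context's error code and the
# CRL being checked when the error was raised.
def accept_peer?(preverify_ok, error, current_crl, now = Time.now)
  return true if preverify_ok
  # Only the "CRL not yet valid" error is ever excused; every other
  # verification failure still rejects the connection.
  return false unless error == OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
  return false if current_crl.nil?

  last_update = current_crl.last_update
  return false if last_update.nil?

  last_update < now + CRL_SKEW_SECONDS
end

# Constructed sample: an unsigned CRL carrying only a last_update time.
def sample_crl(last_update)
  crl = OpenSSL::X509::CRL.new
  crl.last_update = last_update
  crl
end

# Decision for a CA clock running `ahead` seconds in front of the agent,
# evaluated at a fixed, constructed "now" so the result is repeatable.
def decision_for_skew(ahead, now = Time.utc(2014, 9, 9, 12, 0, 0))
  accept_peer?(false, OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID,
               sample_crl(now + ahead), now)
end

if __FILE__ == $PROGRAM_NAME
  [60, 299, 300, 3600].each do |ahead|
    verdict = decision_for_skew(ahead) ? 'accept' : 'reject'
    puts "CA #{ahead}s ahead: #{verdict}"
  end
end
```

In a real `verify_callback`, the second and third arguments would come from `store_context.error` and `store_context.current_crl`.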
2014-09-09 | Merge branch 'pr/3054' into stable | Andrew Parker | 1 | -0/+13
* pr/3054:
  (maint) Cleanup test to be more readable
  (PUP-3174) Make settings catalog skip manifestdir if environmentpath

Closes GH-3054
2014-09-09 | (maint) Cleanup test to be more readable | Andrew Parker | 1 | -2/+7
The formatting was a little off, which made it hard to see what code was in the test. This fixes the formatting and uses the resource matcher so that it can provide a better error message.
2014-09-08 | correct test description for http_compression disabled | Johan Haals | 1 | -1/+1
2014-09-08 | (PUP-1680) Set accept-encoding to identity when http_compression is false | Johan Haals | 1 | -1/+1
Override the Ruby 2.x default of setting accept-encoding to gzip when puppet http_compression is set to false.
2014-09-08 | (PUP-3190) Don't assume puppet is in a lib dir | Andrew Parker | 4 | -56/+42
The loaders previously assumed that any installation of puppet would be under a directory called lib. This holds true when running puppet from source (during development), or in some package cases, but is not generally true. This simplifying assumption was made so that the loading path for both puppet system extensions (built in functions) and module extensions could be loaded in the same manner: find the root of the extender and loading code from `lib/puppet/...`.

This changes the loading to instead only assume that there is a `puppet` directory and not the name of the parent. This, however, forces the loader for modules to become specialized to only be able to find ruby extensions, because they are in the 'lib' directory, which is how the loader must now be configured.